Intercept request and check authorization in playframework


Problem description

I'm using play framework 2.4.2 with Java and I want to validate that a user is logged in by intercepting all requests and checking if a session value is set. So I have extended the DefaultHttpRequestHandler and overridden the createAction Method to intercept all requests. However, I have not found a good way to validate the session.

When I try to fetch the session value I get a runtime exception: There is no HTTP Context available from here

Below is the class I am working with:

public class RequestHandler extends DefaultHttpRequestHandler {
    @Override
    public Action createAction(Http.Request request, Method method) {
        session("loggedIn"); // Throws runtime Exception: no HTTP Context
        return super.createAction(request, method); // never reached because of the exception above
    }
}

Option 2 - Ugly

Since the session is technically a cookie I can retrieve the value from the header with code like the following:

for(String cookie : request.headers().get("Cookie")){
    System.out.println("cookie: "+cookie);
}

But then I have to parse the cookie string which looks like the following line to get the loggedIn value. Too dirty for my taste.

_ga=GA1.1.1508004144.1421266376; ki_r=; ki_t=1438789543788%378129908%3B1438789543788%3B1%3B1; PLAY_SESSION=0570411c3eb55ad230681539ddcfaa4220583fd-loggedIn=1

Option 3 - Too easy to forget the annotation

I notice some websites document a different approach and instead create an action composition and add the appropriate annotation to every controller class or method.

The problem with this approach is it requires the developer to remember to add the annotation. I would prefer to reverse this to block every route by default and then add an annotation to the routes that do not need the validation.

A couple sites that document action composition:


  1. http://alexgaribay.com/2014/06/16/authentication-in-play-framework-using-java/
  2. https://www.playframework.com/documentation/2.2.1/JavaGuide4

Is there a way to globally validate whether a user should be able to access a page, and how do I get at the session variable?

*Please note that I'm not interested in using a third party plugin for authentication.

Recommended answer

Even if I would re-consider using action composition, you can fix Option 1.

Create a custom annotation to mark the actions that don't need validation.

import java.lang.annotation.*;

@Target({ ElementType.TYPE, ElementType.METHOD })
@Retention(RetentionPolicy.RUNTIME)
public @interface NoAuthRequired {}

Then change your HttpRequestHandler implementation.

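import java.lang.reflect.Method;
import play.http.DefaultHttpRequestHandler;
import play.libs.F;
import play.mvc.Action;
import play.mvc.Http;
import play.mvc.Result;

public class RequestHandler extends DefaultHttpRequestHandler {
    @Override
    public Action createAction(Http.Request request, Method actionMethod) {
        // The annotation targets TYPE as well as METHOD, so check the controller class too
        boolean noAuthRequired = actionMethod.isAnnotationPresent(NoAuthRequired.class)
                || actionMethod.getDeclaringClass().isAnnotationPresent(NoAuthRequired.class);
        return new Action.Simple() {
            @Override
            public F.Promise<Result> call(Http.Context ctx) throws Throwable {
                // if the action is annotated with @NoAuthRequired or user is logged in delegate to it
                if (noAuthRequired || ctx.session().containsKey("loggedIn")) {
                    return delegate.call(ctx);
                }
                // otherwise, block access
                else {
                    return F.Promise.pure(forbidden("You're not allowed"));
                }
            }
        };
    }
}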

In this way, every route requires validation unless explicitly annotated.

As you can see from the code, the session is available through the Context.
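
An added example, not part of the original answer or of Play itself: a plain-Java audit of the default-deny rule that lists every action exempted by @NoAuthRequired (on the method or its declaring class) and fails when that list differs from a reviewed allowlist. The Login and Assets controllers, the NoAuthAudit class and the reviewed list are constructed for illustration, and a Map stands in for the Play session.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

public class NoAuthAudit {
    @Target({ ElementType.TYPE, ElementType.METHOD })
    @Retention(RetentionPolicy.RUNTIME)
    @interface NoAuthRequired {}

    // Constructed sample controllers (hypothetical stand-ins for Play controllers).
    static class Login {
        @NoAuthRequired public static String form() { return "login form"; }
        public static String changePassword() { return "change password"; }
    }
    @NoAuthRequired
    static class Assets {
        public static String at() { return "static file"; }
    }

    // An action is public only if it, or its controller class, carries the annotation.
    static boolean isPublic(Method m) {
        return m.isAnnotationPresent(NoAuthRequired.class)
            || m.getDeclaringClass().isAnnotationPresent(NoAuthRequired.class);
    }

    // Default deny: anything not explicitly public needs the "loggedIn" session key.
    static boolean allowed(Method m, Map<String, String> session) {
        return isPublic(m) || session.containsKey("loggedIn");
    }

    // Every action reachable without a session, for comparison with a reviewed list.
    static SortedSet<String> publicActions(Class<?>... controllers) {
        SortedSet<String> out = new TreeSet<>();
        for (Class<?> c : controllers)
            for (Method m : c.getDeclaredMethods())
                if (Modifier.isPublic(m.getModifiers()) && isPublic(m))
                    out.add(c.getSimpleName() + "." + m.getName());
        return out;
    }

    public static void main(String[] args) throws Exception {
        Set<String> reviewed = new TreeSet<>(Arrays.asList("Assets.at", "Login.form"));
        SortedSet<String> found = publicActions(Login.class, Assets.class);
        if (!found.equals(reviewed))
            throw new IllegalStateException("unreviewed public actions: " + found);
        Method change = Login.class.getDeclaredMethod("changePassword");
        System.out.println("anonymous: " + allowed(change, Collections.emptyMap()));
        System.out.println("logged in: " + allowed(change, Collections.singletonMap("loggedIn", "1")));
    }
}
```

Running the audit as a unit test or at startup keeps a new exemption from shipping until the reviewed list is updated to match.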
